German Federal Cartel Office vs. Facebook – The one who wins the battle might not win the war
The initial decision of the German Federal Cartel Office
The decision attracted worldwide attention: After 3 years of investigation, at the beginning of 2019, the German Federal Cartel Office ("FCO", Bundeskartellamt, Germany's antitrust authority) made an order which imposed far-reaching restrictions on Facebook with respect to its processing of user data . The order prohibited Facebook to use and implement terms of use that allow Facebook to collect and use user data and device-related data originating from the use of services other than Facebook (for example, WhatsApp) and to link such data with the data generated through Facebook accounts, unless the user has consented to such data processing according to the European General Data Protection Regulation ("GDPR") . In the opinion of the FCO, Facebook has a dominant market position in the market for social networks in Germany and against this background a user's consent does not comply with GDPR, if the user can use Facebook only if the consent is given, i.e. if agreeing to the described terms of use is prerequisite for the use of Facebook.
The decisions of German Courts
Facebook appealed to court. This caused a ping pong between the Düsseldorf Higher Regional Court ("DHRC", Oberlandesgericht Düsseldorf) and the German Federal Court of Justice ("FCJ", Bundesgerichtshof, Germany's court of last resort in criminal and civil law matters) in which it initially seemed as if Facebook would bear the palm. Facebook had not only appealed the FCO's decision but had also requested in summary proceedings to suspend that decision, and the DHRC, which is also responsible for the appeal proceedings, granted the suspension on the grounds that there were serious doubts about the legality of that decision . The DHRC did not share the FCO's view in several respects. Although it agreed that an abuse of market power can be brought about by a breach of law standards, it did not see any exploitation, nor did it see a causal relationship between a breach of the GDPR (if any) and Facebook's dominant market position. From a data protection view very interesting, the DHRC expressly considered it possible that at least parts of the data processing could be based on a legitimate interest of Facebook and it did not consider compliance with the GDPR relevant for the antitrust assessment.
An answer was not long in coming. Following a complaint by the FCO, the FCJ overruled the DHRC's decision and refused Facebook's request for suspension . However, although the FCJ took a significantly different view than the DHRC with regard to the antitrust questions, it also did not seem convinced that Facebook's compliance with GDPR would be decisive for the court case.
The turnaround came on 24 March 2021. At the hearing on the merits, the DHRC decided to refer GDPR compliance questions to the European Court of Justice ("ECJ"). A referral to the ECJ is only possible upon questions which are decisive for the court case. This means that, contrary to expectations, the DHRC now believes as well that GDPR compliance questions are decisive for the case and the ECJ will decide upon the GDPR questions submitted by the DHRC.
The role of the ECJ and the impact of its decision
The questions submitted by the DHRC have not yet been published. The extent to which the ECJ will make an assessment of whether Facebook's data processing practices violate the GDPR therefore remains to be seen. However, it is likely that the case will become a landmark in data protection jurisprudence. It touches upon a number of momentous GDPR questions, among them questions as to the meaning of Art. 7 Sec. 4 GDPR: Under which circumstances is it lawful to offer a service under the condition that the user consents to the processing of personal data that is not necessary for the performance of that service? Under which circumstances is a data processing activity necessary for the performance of a service? To which extent can this be defined by contractual terms?
Business models in the digital economy often base upon users "paying" services not with money but with their data, the use of which can be monetised by the service provider. This also applies to Facebook. Should the ECJ follow the FCO's approach, Facebook would have to offer the use of its platform also without the described data processing, as least as long as the user does not have access to equivalent alternative offers from third parties without such data processing. For Facebook, the possibility to be "paid" with data would therefore be limited.
It remains to be seen which economic consequences concerned service providers would draw in case of such development. In Germany, it can already be observed that certain digital offerings are provided by way of 2 alternatives, either against fees or against consent to user tracking. Will we see more of such type of offerings? In any case, things certainly remain exciting.
Article provided by: Kirsten Wolgast (Pinsent Masons, Germany)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)